Skip to main content
CVE-2026-9082 MEDIUM POC KEV PATCH THREAT NEWS GHSA Act Now

SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database queries with no required privileges or user interaction, as confirmed by CVSS vector AV:N/AC:L/PR:N/UI:N. The vulnerability yields partial confidentiality and integrity impact per CVSS - enabling data enumeration and limited data manipulation - but does not grant full database control or server compromise. No active exploitation is confirmed (not listed in CISA KEV; SSVC exploitation status: none), but SSVC flags this as automatable, making opportunistic mass scanning against the large global Drupal install base a credible near-term risk.

SQLi Drupal Core
NVD GitHub VulDB Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
Threat
4.3
CVE-2026-45498 MEDIUM POC KEV PATCH THREAT NEWS Exploited Act Now

Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact - confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft Denial Of Service
NVD VulDB
CVSS 3.1
4.0
EPSS
2.3%
CVE-2026-5776 MEDIUM POC PATCH This Month

Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. Because the CVSS scope is Changed (S:C), injected payloads execute in victim browsers rather than the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; no public exploit identified at time of analysis as actively exploited via CISA KEV.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-7385 MEDIUM POC PATCH This Month

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-4293 MEDIUM CISA This Month

Cross-site scripting in Kieback & Peter DDC building automation controllers allows a network-accessible attacker to inject and execute arbitrary JavaScript within a victim's browser session when interacting with the device's web interface. Affected models span the full DDC4000 product line - DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, and their 'E' variants (DDC4002E, DDC4020E, DDC4040E, DDC4200E, DDC4400E) - representing widely deployed OT/ICS building management infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the ICS context elevates concern given the physical-world impact of compromised building controllers.

XSS Ddc4002 Ddc4100 Ddc4200 Ddc4200 L +7
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42534 MEDIUM PATCH This Month

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker - who also controls a malicious or slow authoritative nameserver - to subvert the jostle logic designed to evict stalled queries, ultimately causing denial of resolution service. The jostle mechanism, which activates when the num-queries-per-thread limit is reached, is bypassed because retransmitted duplicate queries reset the aging timestamp to the latest duplicate rather than preserving the original query start time, preventing aged queries from being correctly identified and replaced. No public exploit has been identified at time of analysis; however, the vendor has confirmed the issue and released a patch in version 1.25.1.

Information Disclosure Unbound
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44390 MEDIUM PATCH This Month

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resources by querying for content from a specially crafted malicious DNS zone containing very large RRsets whose records share no suffix above the root. The name compression logic fails to increment its bounding counter in this edge-case code path, causing an unbounded CPU-locking loop until packet construction completes. This is a complement fix to CVE-2024-8508, which introduced a compression limit in 1.21.1 that did not cover this specific bypass scenario; no public exploit has been identified at time of analysis.

Denial Of Service Unbound
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42923 MEDIUM PATCH This Month

Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. No public exploit code exists and this is not listed in the CISA KEV catalog at time of analysis, but coordinated query floods against the vulnerable code path could escalate a single-instance slowdown into a full denial of service.

Denial Of Service Suse Red Hat
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-43620 MEDIUM PATCH This Month

Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.

Information Disclosure Buffer Overflow Rsync
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45792 MEDIUM PATCH GHSA This Month

Silent output manipulation in RTK (Rust Token Killer) prior to v0.32.0 allows an attacker who can place a file in a repository to intercept and alter all shell command output before it reaches an LLM during AI-assisted development. The root cause is that RTK unconditionally loaded `.rtk/filters.toml` from the current working directory with highest priority and no user notification, enabling regex-based suppression or rewriting of file contents, diffs, and security scan results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack surface - repository-committed config files silently hijacking LLM context - is particularly relevant to AI-assisted development pipelines where developers may not scrutinize every checked-in config.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-39311 MEDIUM PATCH This Month

Stored XSS-to-RCE chain in Trilium Notes versions 0.102.1 and prior allows a network attacker to execute arbitrary Node.js code on the server by tricking an authenticated user into viewing a malicious SVG attachment. The vulnerability exploits three compounding design flaws - unsanitized SVG serving with the image/svg+xml MIME type, a deliberately disabled Content Security Policy, and an unauthenticated-from-same-origin script execution endpoint at /api/script/exec - enabling full server compromise through a single user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, but the detailed disclosure in the GitHub security advisory provides a near-complete attack recipe; EPSS data was not available in the provided intelligence.

Node.js XSS RCE
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-35593 MEDIUM This Month

Path traversal via the attachment upload API in Trilium Notes 0.102.1 and prior allows an authenticated high-privilege attacker to read arbitrary files from the server's filesystem by supplying a controlled file path in a POST request body. The two-step exploitation pattern - POST to /api/attachments/{attachmentId}/upload-modified-file to stage a file, then GET from /api/attachments/{attachmentId}/download to retrieve its contents - effectively turns the attachment system into an unauthenticated file disclosure proxy once the initial write is performed. The CVSS Changed scope (S:C) reflects that exposed materials such as SSH keys, database credentials, and application configs can cascade into compromise of co-hosted services well beyond Trilium itself. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal RCE
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-45585 MEDIUM Exploit Likely This Month

Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.

Microsoft Command Injection
NVD VulDB GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-20171 MEDIUM This Month

BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.

Denial Of Service Cisco
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41292 MEDIUM PATCH This Month

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny service by sending DNS queries carrying abnormally large numbers of EDNS options, causing resolver threads to become occupied with unbounded parsing and internal data structure allocation. Coordinated multi-source attacks amplify thread exhaustion into full denial of service for legitimate DNS clients. No public exploit identified at time of analysis; vendor-released patch is available in Unbound 1.25.1, which enforces a hard cap of 100 incoming EDNS options.

Denial Of Service Unbound
NVD VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-40622 MEDIUM PATCH This Month

Ghost domain name extension in NLnet Labs Unbound 1.16.2 through 1.25.0 allows an adversary controlling an expired ghost zone to artificially prolong its resolvability by causing Unbound to overwrite the cached parent-side referral NS rrset with the child-side apex NS rrset, extending the ghost domain window by up to one full cache-max-ttl interval. The attack requires the adversary to control the target ghost zone and issue a single NS query to a vulnerable resolver; in non-default configurations using 'harden-referral-path: yes', no external query is needed as Unbound performs the triggering lookup internally. No public exploit identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 Exploit Maturity is rated 'Unreported', though the integrity impact on DNS resolution is high (VI:H) and represents a meaningful trust boundary violation.

Information Disclosure Unbound
NVD VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-6072 MEDIUM This Month

Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-20240 MEDIUM PATCH This Month

Denial of Service in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged authenticated user to render the entire instance non-functional by exploiting missing input validation in the `coldToFrozen.sh` script bundled with the `splunk_archiver` app. The script accepts arbitrary file paths and renames them without restricting operations to safe directories, enabling renaming of critical Splunk system directories. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege requirement (PR:L per CVSS) makes this actionable for any authenticated non-admin user in multi-tenant or enterprise deployments. A vendor patch is available via advisory SVD-2026-0504.

Denial Of Service Splunk
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40102 MEDIUM PATCH This Month

ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.

Information Disclosure Nosql Injection Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9122 MEDIUM PATCH This Month

Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20238 MEDIUM PATCH This Month

Unauthorized data disclosure in Splunk AI Toolkit versions below 5.7.3 allows authenticated low-privileged users to bypass srchFilter-based access controls and read confidential data scoped to more restricted custom roles. The flaw stems from the Splunk platform's behavior of combining inherited search filters via the OR SPL operator, causing the permissive filter injected by the AI Toolkit's authorize.conf to override stricter filters on child roles. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the CVSS confidentiality impact is rated High, making this a meaningful data exposure risk in multi-tenant or compliance-sensitive Splunk deployments.

Authentication Bypass Splunk
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8685 MEDIUM This Month

SQL Injection in the Infility Global WordPress plugin (all versions through 2.15.16) allows authenticated attackers holding only a Subscriber-level account to append arbitrary SQL to existing database queries and extract sensitive information. The vulnerability originates in the show_control_data::post_list() function, which is registered as an admin menu page gated only by the 'read' capability - the lowest WordPress capability tier. With CVSS C:H and no integrity or availability impact, the primary real-world risk is wholesale database exfiltration on any site with open user registration. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8487 MEDIUM PATCH This Month

Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure Privilege Escalation Moveit Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44923 MEDIUM This Month

SQL injection in Veritas InfoScale Operations Manager (VIOM) prior to v9.1.3 enables remote, unauthenticated attackers to escalate privileges via crafted requests. The vulnerability is network-accessible with no authentication or user interaction required, and SSVC scoring confirms it is automatable, lowering the bar for mass exploitation. No public exploit or CISA KEV listing has been identified at time of analysis, but the unauthenticated attack surface and automatable classification make this a meaningful exposure for any internet-facing VIOM deployment.

SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9150 MEDIUM PATCH This Month

Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.

Debian Denial Of Service Stack Overflow Buffer Overflow Libsolv +5
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21836 MEDIUM This Month

HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24573 MEDIUM PATCH This Month

Stored XSS in the Themeisle Visualizer WordPress plugin (all versions before 4.0.0) allows an authenticated low-privileged user to inject persistent malicious scripts into chart or visualization content. When a victim user subsequently views the affected page, the injected script executes in their browser within a changed scope (S:C), meaning impact extends beyond the attacker's own session to other users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network-accessible vector make this straightforward to abuse on sites with open or loosely controlled contributor registration.

XSS Visualizer
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27405 MEDIUM This Month

Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Wpbookingly
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5293 MEDIUM This Month

Stored Cross-Site Scripting in the Diagnosis Generator (診断ジェネレータ作成プラグイン) WordPress plugin allows any subscriber-level authenticated user to write arbitrary JavaScript into WordPress theme files by exploiting a missing capability check in themeFunc(). The payload persists in theme files and executes in every site visitor's browser upon loading any page containing the diagnosis form shortcode, giving a single low-privilege attacker persistent, cross-user script execution. No public exploit has been identified at time of analysis, but the subscriber-level access requirement makes this a broad risk on any WordPress site with open user registration.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-2955 MEDIUM This Month

Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though practical exploitation is further constrained by a 20-character storage limit on the injected value.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-35070 MEDIUM PATCH This Month

Command injection in Dell SmartFabric Storage Software versions prior to 1.4.5 enables a high-privileged local attacker to gain unauthorized read and write access to the underlying filesystem. Exploitation requires local system presence and high-level privileges, with the CVSS vector (AV:L/AC:H/PR:H) indicating a constrained threat surface despite the high confidentiality, integrity, and availability impact scores. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Dell Command Injection
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6397 MEDIUM This Month

Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6549 MEDIUM This Month

Stored Cross-Site Scripting in the Logo Manager For Enamad WordPress plugin (versions up to and including 0.7.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title' attribute of three shortcodes - vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom. The injected payload executes in the browser of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis; however, the low privilege requirement (contributor) broadens the realistic attacker pool on multi-author WordPress sites.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8038 MEDIUM This Month

Stored Cross-Site Scripting in the Faces of Users WordPress plugin (all versions through 0.0.3) allows authenticated attackers with Contributor-level access or above to inject persistent malicious JavaScript via the 'default' attribute of the 'facesofusers' shortcode. Once injected, the payload executes silently in the browser of any user who visits the compromised page, enabling session theft, credential harvesting, or malicious redirects targeting higher-privileged users including administrators. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24142 MEDIUM This Month

Deserialization of untrusted data in NVIDIA TensorRT-LLM across all platforms allows a local, low-privileged attacker to achieve code execution, data tampering, and information disclosure by exploiting an unsafe serialized handle. The CVSS Changed Scope (S:C) indicates the impact can extend beyond the vulnerable component itself - notable given TensorRT-LLM's role as an inference serving library often integrated into multi-tenant or production AI infrastructure. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Deserialization Nvidia Information Disclosure RCE
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-43617 MEDIUM PATCH This Month

Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.

Authentication Bypass Rsync
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-20206 MEDIUM This Month

Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.

Cisco Command Injection
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-7462 MEDIUM This Month

Reflected Cross-Site Scripting in the VatanSMS WP SMS WordPress plugin (all versions through 1.01) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `page` parameter, executing in the context of a logged-in administrator's browser session. Exploitation requires social engineering an administrator into clicking a crafted link, making this a medium-severity but realistic threat vector for WordPress site takeover or credential theft. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8626 MEDIUM This Month

Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.

WordPress PHP XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8624 MEDIUM This Month

Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8627 MEDIUM This Month

Reflected Cross-Site Scripting in the Correct Prices WordPress plugin (versions up to and including 1.0) exposes any site running this plugin to script injection via crafted URLs. The correct_prices_page() function writes the raw value of $_SERVER['PHP_SELF'] into a form's action attribute without calling esc_url() or esc_attr(), allowing an attacker to break out of the HTML attribute context and inject arbitrary markup. CVSS vector PR:N confirms no authentication is required from the attacker, though exploitation is limited by a required user interaction (UI:R) - a victim must be tricked into following a specially crafted link. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code was identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-43618 MEDIUM PATCH This Month

Information disclosure in Rsync 3.4.2 and prior allows an authenticated remote sender to leak receiver process memory through an integer overflow in the compressed-token decoder. The flaw exposes environment variables, credentials, heap and stack contents, and library pointers, weakening ASLR and enabling follow-on exploitation; no public exploit identified at time of analysis, but Rsync 3.4.3 bundles the security fix.

Information Disclosure Integer Overflow Rsync
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-26028 MEDIUM PATCH GHSA This Month

HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.

Microsoft Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6395 MEDIUM This Month

Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.

WordPress CSRF XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6391 MEDIUM This Month

Cross-Site Request Forgery in the Sentence To SEO WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to inject persistent malicious scripts and overwrite plugin settings by forging admin form submissions against the unprotected create_admin_page() function. Because the CVSS vector carries Changed scope (S:C), a successfully forged request can achieve Stored XSS within the WordPress admin context, crossing the boundary from the plugin into the administrator's browser session. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists, but the attack class is well-understood and exploitation templates for WordPress CSRF-to-XSS chains are widely available.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-8420 MEDIUM This Month

Cross-Site Request Forgery in the BLOGCHAT Chat System WordPress plugin (all versions through 1.3.6.3) enables unauthenticated remote attackers to both update plugin settings and inject persistent malicious web scripts by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from missing or incorrect nonce validation across multiple functions in wp-blogchat-widget.php (lines 208, 215, 222, 293), making it a compound CSRF+Stored XSS risk with Changed scope (S:C) in the CVSS rating. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30691 MEDIUM This Month

Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0857 MEDIUM This Month

Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the Meona Server Component from Mesalvo, exposing confidential data to local privileged attackers. The CVSS vector (AV:L/PR:H/S:C/C:H) indicates that a locally authenticated administrator can read sensitive material - likely credentials or session tokens - directly from process memory, with the changed scope suggesting this exposure can cascade to resources or components beyond the initially compromised process. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-9100 MEDIUM PATCH This Month

The legacy GridFS API in the MongoDB C Driver fails to validate file metadata fields retrieved from the database, enabling crafted documents stored in a GridFS collection to trigger either a division-by-zero crash (denial of service) or an out-of-bounds read that exposes process memory contents to the caller. Versions in the 1.x branch before 1.30.8 and 2.x branch before 2.2.4 are affected per EUVD-2026-31132. The CVSS 4.0 score of 6.0 accurately reflects a constrained attack path requiring low-privilege database access and a pre-positioned malicious document (AT:P), with no public exploit identified at time of analysis.

Buffer Overflow Suse
NVD VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-9084 MEDIUM PATCH This Month

Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy